craft clever phishing emailattach a pdf or excel sheet with embeded flash object which sets up a reverse shell connectionWait for them to open it Drop backdoors

Proceed with recon!

I keed I keed. Depends on your goal. With the Windows attacks, much of them have been due to 3rd party software not being patched rather than an actual flaw in Windows.

With SQL many times the built in SA account isn't properly secured or utilizes the same admin password as say the local admin of the computer. If they are old versions of Windows (XP/2003) then you have more options. If they are newer versions (7/2008) then you will have your work cut out for you. If they have been hardened, it will be that much tougher.

That is a good point hayabusa but if that the case if nessus reports mysql using default credentials how can you confirm this as you cant really report an issue to client without being sure it is an issue.

TheXeroI plan on doing OSCP but it just getting the money sadly my company wont pay for me as they prefer to train in house but I am trying to progress my training myself but as I am only junior don't get paid that much.

Jamie.R - in that case, you'd need to look for SQL- or command-injection to be able to pass root's login via a web app. I recall having to do EXACTLY that, when I was helping beta test for the US Cyber challenge, a couple of summers ago.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

Cool will look into that does anyone have any good links for leaving more about windows ? I mean I have used windows for about 14 years at home but not really in a business environment so have not dealt with domain controllers and stuff like that.

smb - look for missing patches and public exploits. you can also dictionary attack smb for credentials. i'd start with username "administrator" You can also capture hashes for smb creds and use these in pass the hash techniques. There are a number of ways to do this.

ldap - if anonymous ldap sessions are allowed you can enumerate this service for lots of juicy info.

ms sql - look for missing patches. Better yet, if you can get creds for SA then more than likely they have xp_cmdshell functioning and you can get root, easy. You can get creds by dictionary attack, SE, or existing odbc connections.

snmp - again, dictionary attack. If you can find out the community string, you can likely read/write entire server configurations. This is a very powerful, yet often overlooked security issue on corporate lans.

I would recommend getting a copy of MSDN and installing your own AD environment so you can see all the moving parts of an AD environment. This is paramount to successful pentesting since most orgs use AD in one fashion or another.

Win XP in a domain environment, with a default Sec Policy, will cache up to 5 passwords I think. I have to look at my lab DC. But yeah XP even with SP3 is still a pretty good target. Now if the Sys admin in the domain is doing it write, Windows Firewall is enabled so many of the attacks might not work.

Also I think by default MS SQL will not allow network connections until you go into the config and turn it on. MySQL may do the same thing.

Just because Nessus says it so, doesn't mean it is. Get the MSSQL Management tool, this will allow you to test for connections. Also NMAP has a nifty script to locate systems broadcasting services such as DNS, SQL and other types.

nmap -P0 --script=broadcast

It will run a series of broadcast scripts. If you want to see the details y ou can view them in the nmap/scripts folder. There is also one for listening for Dropbox LAN sync broadcasts >D

I think the system admin/network admin stuff is incredibly important to be a good pentester, so you definitely should learn all about AD. There are a few options:

- Start working helpdesk or sys/network admin roles- Get your MCITP- Spend $200 and get a subscription to MSDN so you can download and play with every piece of software MS makes. Then, set up your own AD domain, exchange server, sql server etc. etc. etc.

I really believe the network work is huge, simply because if you pop a box on a network, will you know where to go next? Would you know how to pull data off a sql server? Would you know how to export email off an exchange server? Just a few simple things, but can be incredibly valuable to a client because getting domain admin might not mean as much to them as stealing the CEO's email.